When attacking an organization, the key things an attacker looks into during reconnaissance are:
- Applications the users in the organization are using
- Operating systems
- Security mechanisms, such as which AV vendor is in use
Knowing this, the attacker sends an exploit that targets a vulnerability in an application the intended victims use.
This exploit must not be recognized by the AV the target organization uses.
Generally, they use PDF exploits (preferably zero-days), as most people use Adobe Reader. In well-organized companies, most critical software such as Adobe Reader is usually patched up to date.
So an alternative is to use an exploit for some other application that the victim uses. Sometimes social reconnaissance of weak users such as the helpdesk can give more information.
FOCA is a simple-to-use tool that downloads all the media files such as pdf, doc, xls, etc. from a site and extracts the metadata in those files. This information can be used maliciously by attackers.
The usernames identified can be useful later, since they may be valid usernames for protected resources, where brute-force or password-guessing techniques (with information from Facebook or social engineering) can be applied to break in.
This metadata from various media files could be dangerous. There are tools like MetaShield Protector, which can be integrated into IIS and removes metadata when files are requested from the web server.